Jump to content

EFS & Virus Infection & Unable to login

Guest Adam

By Guest Adam
in Windows XP

 Share

Recommended Posts

Guest Adam

Guest Adam

Posted
Posted

Hello,

I'm fixing a computer at my work. The computer has been infected with

lots of viruses and malware. Most of the viruses have been removed by

plugging the hard drive into another computer and removing them that way.

 

Unfortunately, one of the users has used EFS to encrypt lots of important

documents. I am unable to login at all, as soon as the welcome screens quits

after successful username and password have been entered the system hangs and

does not complete loading.

 

The installation of windows is not important to me but the documents are. My

questions are:

 

 

 

Is it somehow possible to export the Recovery Agent without being logged in

as that user (i.e. from the recovery console)?

 

Can I do a repair install without compromising EFS and becoming locked out

from the files?

 

Are there any software out there designed to brute force the EFS technology?

 

Is there a way to restore the registry to a basic state (i.e. to that of

when it was installed) but keep the SID the same for the user account?

 

 

 

 

I know its a few questions but I've ran into lots of problems with this

computer and have tried lots of different methods to extract the information.

 

Thanks,

Adam

  • Replies 3
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Adam

Guest Adam

Posted
Posted

RE: EFS & Virus Infection & Unable to login

 

Anybody??

 

"Adam" wrote:

> Hello,

> I'm fixing a computer at my work. The computer has been infected with

> lots of viruses and malware. Most of the viruses have been removed by

> plugging the hard drive into another computer and removing them that way.

>

> Unfortunately, one of the users has used EFS to encrypt lots of important

> documents. I am unable to login at all, as soon as the welcome screens quits

> after successful username and password have been entered the system hangs and

> does not complete loading.

>

> The installation of windows is not important to me but the documents are. My

> questions are:

>

>

>

> Is it somehow possible to export the Recovery Agent without being logged in

> as that user (i.e. from the recovery console)?

>

> Can I do a repair install without compromising EFS and becoming locked out

> from the files?

>

> Are there any software out there designed to brute force the EFS technology?

>

> Is there a way to restore the registry to a basic state (i.e. to that of

> when it was installed) but keep the SID the same for the user account?

>

>

>

>

> I know its a few questions but I've ran into lots of problems with this

> computer and have tried lots of different methods to extract the information.

>

> Thanks,

> Adam

Guest Patrick Keenan

Guest Patrick Keenan

Posted
Posted

Re: EFS & Virus Infection & Unable to login

 

 

"Adam" <Adam@discussions.microsoft.com> wrote in message

news:119BC5FB-63BD-4129-B9F7-3D6D5024AB2A@microsoft.com...

> Hello,

> I'm fixing a computer at my work. The computer has been infected with

> lots of viruses and malware. Most of the viruses have been removed by

> plugging the hard drive into another computer and removing them that way.

>

> Unfortunately, one of the users has used EFS to encrypt lots of important

> documents. I am unable to login at all, as soon as the welcome screens

> quits

> after successful username and password have been entered the system hangs

> and

> does not complete loading.

>

> The installation of windows is not important to me but the documents are.

> My

> questions are:

>

>

>

> Is it somehow possible to export the Recovery Agent without being logged

> in

> as that user (i.e. from the recovery console)?

 

I think you mean export the credentials, and since you log in as the

Administrator from the recovery console, the answer would be no.

 

> Can I do a repair install without compromising EFS and becoming locked out

> from the files?

 

It's unlikely, and risky at best. If you want to try this, try it on a

clone.

 

>

> Are there any software out there designed to brute force the EFS

> technology?

 

I know of none.

> Is there a way to restore the registry to a basic state (i.e. to that of

> when it was installed) but keep the SID the same for the user account?

 

Perhaps, but I wouldn't try it on the original disk. See below.

>

> I know its a few questions but I've ran into lots of problems with this

> computer and have tried lots of different methods to extract the

> information.

>

> Thanks,

> Adam

 

You seem to consider the documents to be of value, and understand that

there are many risks with EFS, that can easily lead to permanent data loss.

 

So, the thing to do is to protect the original and work from a clone.

Find a suitable hard disk that you can clone this original disk to - perhaps

make an image file on hard disk as you may be trying this more than once.

If you don't have it, clone using something like the Acronis TrueImage trial

version. This will give you a couple of weeks for effort.

 

Make an image file from the original and set the disk aside somewhere safe.

Use that image file to create a clone on another disk, and work on the copy.

If you find a process that doesn't work, you can safely start over without

having to fear that you have lost the data. This is a much more relaxing,

or at least less tense, scenario.

 

The cloning process shouldn't take you very long, and is quick if you also

have a USB2 drive adapter, about $20. The cloning process will also give

you a spot to think.

 

You may even find that part of the problem is a disk error that the new disk

helps overcome, though such an error may also damage the credentials you

need.

 

Once cloned, try getting into the account in Safe Mode, and then using

msconfig to turn everything that isn't needed to just boot OFF, including

services. Then try restarting in regular mode.

 

You can also at this point safely attempt manual registry swaps, as adapted

from this KB article:

http://support.microsoft.com/kb/307545

 

You can perform the swaps hosting the drive in another system using the USB2

drive adapter, you don't need to boot to the Recovery Console.

 

And this way, if the attempts don't work, you haven't damaged the data, only

lost a bit of time. You can go back and try again.

 

HTH, and good luck.

-pk

Guest Twayne

Guest Twayne

Posted
Posted

Re: EFS & Virus Infection & Unable to login

 

> Hello,

> I'm fixing a computer at my work. The computer has been infected

> with lots of viruses and malware. Most of the viruses have been

> removed by plugging the hard drive into another computer and removing

> them that way.

>

> Unfortunately, one of the users has used EFS to encrypt lots of

> important documents. I am unable to login at all, as soon as the

> welcome screens quits after successful username and password have

> been entered the system hangs and does not complete loading.

>

> The installation of windows is not important to me but the documents

> are. My questions are:

 

And my question is, why didn't you or someone export the keys needed to

recover those files in the very beginning? They may well be gone now so

hope for good backups in your company IT.

>

>

>

> Is it somehow possible to export the Recovery Agent without being

> logged in as that user (i.e. from the recovery console)?

No. Not now.

>

> Can I do a repair install without compromising EFS and becoming

> locked out from the files?

 

No. Not without the keys disk.

>

> Are there any software out there designed to brute force the EFS

> technology?

 

No. That's why it's such a reliable encryption and why it's so

important to export the keys and assign an agent.

>

> Is there a way to restore the registry to a basic state (i.e. to that

> of when it was installed) but keep the SID the same for the user

> account?

 

No, don't think so. I know a lot of people who tried but AFAIK it just

can not be done. Unless possibly you know the SIDS? But then even the

keys are encrypted too, so not sure it'd do any good even if you could.

 

Certainly, since this is a work computer, there are backups somewhere,

right? If not I'd find another company to work for or get real smart

real fast if you don't get fired first.

>

>

>

>

> I know its a few questions but I've ran into lots of problems with

> this computer and have tried lots of different methods to extract the

> information.

>

> Thanks,

> Adam

 Share
Go to topic listing
×
×
  • Create New...